Splunk Search

How to add new Lookup?

Sven1
Path Finder

I am working to leverage the below query for 'Stale Account Usage' from Splunk Security Essentials Docs, which uses lookup "account_status_tracker".

The  'How to Implement' guidance includes: "The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in Common Information Model format. " 

From the "Add New" lookup webpage, it is not clear how I assign an appropriate "Lookup File" that will have the necessary fields in CIM format. I have looked through Splunk docs and other likely resources, with no strong hits. I admit this is an area new to me.

My question is: what steps do I need to take to define this lookup, including assigning an appropriate "Lookup File"? When I select existing authentication-related files as the "Lookup File", I receive error messages, for example: "Cannot find the destination field 'count' in the lookup table..."

Any leads greatly appreciated.

index=* source="*WinEventLog:Security" action=success
| stats count min(_time) as earliest max(_time) as latest by user
| multireport
    [| stats values(*) as * by user
     | lookup account_status_tracker user OUTPUT count as prior_count earliest as prior_earliest latest as prior_latest
     | where prior_latest < relative_time(now(), "-90d")
     | eval explanation="The last login from this user was " . (round( (earliest-prior_latest) / 3600/24, 2) ) . " days ago."
     | convert ctime(earliest) ctime(latest) ctime(prior_earliest) ctime(prior_latest) ]
    [| inputlookup append=t account_status_tracker
     | stats min(earliest) as earliest max(latest) as latest sum(count) as count by user
     | outputlookup account_status_tracker
     | where this_only_exists_to_update_the_lookup='so we will make sure there are no results']


richgalloway
SplunkTrust

Usually, the first step to adding a lookup is to put a CSV file on the server in one of Splunk's 'lookups' directories. Then use the GUI to reference that file.

You also can use the Lookup File Editor app to create a new lookup file from the GUI.

---
If this reply helps you, Karma would be appreciated.
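As an added example (not from this thread, and not Splunk Security Essentials' own code), the shell below does the two steps above for this particular lookup. It seeds a header-only CSV whose columns are exactly the four the posted query reads and writes (user, earliest, latest, count), checks an existing CSV for those columns (an authentication export with no count column is what produces the "Cannot find the destination field 'count'" error quoted in the question), and prints the transforms.conf stanza that the "Add New" lookup-definition page would otherwise write for you. The SPLUNK_HOME default, the search app as the target app, and the file name account_status_tracker.csv are assumptions.

```shell
#!/bin/sh
# Added example for seeding the account_status_tracker lookup.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk, the lookup lives in the
# "search" app, and the CSV is named account_status_tracker.csv.
set -eu

# Column set used by the posted query:
#   lookup account_status_tracker user OUTPUT count earliest latest
#   outputlookup after "stats min(earliest) max(latest) sum(count) by user"
# earliest/latest are epoch seconds (they come from min/max(_time)).
LOOKUP_HEADER="user,earliest,latest,count"

# Write a header-only CSV at $1. An empty table is fine: the lookup branch
# simply matches nothing on the first run and outputlookup fills it in.
seed_lookup_csv() {
    dest="$1"
    mkdir -p "$(dirname "$dest")"
    printf '%s\n' "$LOOKUP_HEADER" > "$dest"
}

# Verify that the CSV at $1 carries every column the query expects.
# Returns 0 when all are present; otherwise lists the missing ones on
# stderr and returns 1. Run this before pointing "Lookup File" at an
# existing authentication export.
check_lookup_header() {
    header=$(head -n 1 "$1" | tr -d '\r')
    missing=""
    for col in user earliest latest count; do
        case ",$header," in
            *",$col,"*) ;;
            *) missing="$missing $col" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing columns:$missing" >&2
        return 1
    fi
    return 0
}

# The lookup definition that names the file. Settings > Lookups >
# Lookup definitions > Add New produces the same stanza in transforms.conf.
print_transforms_stanza() {
    cat <<'EOF'
[account_status_tracker]
filename = account_status_tracker.csv
EOF
}

# Usage with the assumed paths (uncomment to apply):
# APP_DIR="${SPLUNK_HOME:-/opt/splunk}/etc/apps/search"
# seed_lookup_csv "$APP_DIR/lookups/account_status_tracker.csv"
# print_transforms_stanza >> "$APP_DIR/local/transforms.conf"
```

After the file and the stanza are in place (a restart or a debug/refresh picks up the new transforms.conf), the query's second multireport branch maintains the table on every run, so nothing else needs to be loaded into it by hand.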

Sven1
Path Finder

@richgalloway: Thank you.  After reading the guidance,  "The only step you'll need to take is to create a lookup called account_status_tracker, and have authentication data in CIM format" I grabbed the current authentication CIM (Authentication - Splunk Documentation), but then held off on pushing to create the lookup.  For example, I noticed that while the lookup will attempt to OUTPUT field "count", the authentication CIM does not include a "count" field.  So, I was just taking a step back and seeing if there is any other information needed to best implement this solution. 

Again, thank you. 
